The Digital Markets Act (DMA): Rules and revelations for travel companies

The way we travel has changed dramatically in recent years. Traveling is an offline experience, but the business of travel has increasingly become digital. The global online travel market is projected to reach close to US $1,464 billion by 2027, up from US $800.72 billion in 2021.

Booking flights and hotels through websites and apps is just one way the travel and tourism industry has gone online. We use digital tools like search engines and social media networks to look for the perfect holiday destinations while sharing our travel experiences on blogs and social media platforms. The data we create has become essential for the travel and tourism industry to tailor services, deliver exceptional experiences and reach potential customers through targeted online marketing efforts.

The increase in data creation — and collection by companies — in all industries over the years has resulted in data privacy laws being enacted around the world to safeguard user privacy. Among these is the Digital Markets Act (DMA), which aims to regulate large tech platforms and tackle concerns around competition, consumer protection, and user privacy. The regulation impacts users in the European Union (EU) and European Economic Area (EEA), as well as businesses that collect data from users in these regions. For the travel industry, the Digital Markets Act means new opportunities to attract and retain customers, and changes in how companies handle user data.

We explore how the travel industry uses customer data, the impact of the Digital Markets Act on the industry, and how travel companies can get ready to comply with the DMA regulation’s requirements.

The travel industry, severely impacted by the COVID-19 pandemic, is projected to bounce back with a strong resurgence in domestic leisure travel by 2024, according to the U.S. Travel Association. Air travel in many regions had already returned to pre-pandemic levels by fall 2023. The World Tourism Organization reports the first quarter of 2023 already saw international arrivals reach 80% of pre-pandemic levels worldwide.

Both the industry and travelers are eagerly trying to make up for lost time. Europe saw a resurgence of 90% of pre-pandemic travel levels, with strong demand from travelers within the region itself. Travel and tourism are forecasted to directly contribute to 17.4 million jobs in Europe by 2028.

The industry spans a range of businesses that impact every aspect of travel for consumers:

• Tourism and destination marketing promotes tourist destinations, landmarks and activities to attract visitors.
• Online travel agencies and platforms that enable users to book flights, trains, hotels and other travel-related services.
• Air travel, which includes airlines, airports and companies related to air travel.
• Accommodation, which includes hotels, motels, resorts and vacation rentals.

Travel companies gather and use data at every stage of the customer journey, from researching destinations to leaving reviews when the trip is done.

Flight choices, favorite destinations, hotel preferences, what they like to eat when they travel, and even the devices they use to book their trips are all valuable information into what makes each traveler unique.

This amount of knowledge enables companies to build travel experiences that meet customers’ preferences and needs.

Customer data makes a real impact on travel companies’ operations and revenue streams.

Knowing a customer’s preferences can help companies proactively offer upgrades, amenities or services that appeal to the customer. When data reveals a guest often chooses rooms with a view or special services, a hotel might offer a complimentary upgrade to a scenic suite or include a spa package to personalize the stay. This targeted approach can make guests feel valued and foster loyalty.

Businesses can analyze booking records and current search trends to predict upcoming surges in interest for specific destinations or types of travel and plan accordingly. For example, if an airline notices a consistent increase in bookings for seaside destinations during certain months, they can anticipate this demand and adjust prices early to balance customer interest and price sensitivity with profitability. Forecasting demand can also help marketing teams adjust their strategies on account of fluctuations based on seasonal travel trends.

Access to detailed customer data enables companies to create focused marketing campaigns. For example, if a travel agency identifies customers who frequently book adventure travel packages, they can specifically target these customers with promotions for upcoming trekking expeditions or off-the-beaten-path travel deals.

Data helps travel businesses personalize and connect with customers effectively. As travel companies suggest destinations and create custom itineraries, they rely on insights from this data to advertise effectively and make offers that stand out.

However, with enforcement of the Digital Markets Act in the European Union and European Economic Area, the rules of the game are about to change.

The DMA introduces a set of rules and obligations for large online platforms, which the European Commission has designated as gatekeepers under the regulation, and which act as intermediaries between businesses and consumers. While travel businesses may not directly fall under its scope, many rely on the gatekeepers’ platforms for data, analytics, advertising, audience access, and more, so requirements of gatekeepers become requirements of these third parties. There are several key provisions of the DMA that will have a direct impact on their operations.

The Digital Markets Act’s emphasis on transparency is set to have a great impact on how travel services are marketed and delivered. Gatekeepers are now required to share information about their ranking systems as well as ad performance data, enabling businesses that advertise to carry out their own independent verification of the ads’ performance.

This shift provides a number of opportunities to travel businesses.

• Understand what makes listings or content rank higher on platforms and adjust their services and promotions to meet these criteria, potentially gaining better rankings and more exposure to prospective customers.
• Compare their own visibility and ranking with competitors and identify areas for improvement to stay competitive within the platform’s ecosystem.
• Refine marketing strategies and resource allocation for improved return on investment and informed, real-time campaign adjustments.
• Form partnerships or alliances with other service providers to create bundled offers or packages that could be more favorable within the algorithm’s ranking system.

The DMA’s transparency requirements also extend to data practices, and gatekeepers must clearly communicate how they gather data and why they use it. Travel businesses that use gatekeepers’ platforms will also have to examine their data practices and introduce a clear, transparent privacy policy that details their use of cookies. Such clarity can foster trust with customers, with the added benefit of potentially deepening customer loyalty for platforms that handle data responsibly.

Transparency challenges for the travel industry

The requirement for transparency brings its own set of challenges, particularly for smaller travel companies, which may find it daunting to interpret the detailed information available from gatekeepers. Adapting to transparent ad performance data could require additional resources in the form of tools or staff to stay on top of campaign analysis and optimization. The need to stay competitive might lead to a rapid change in offers and services, demanding agility and flexibility from travel businesses. This could require additional resource investments by small businesses, which could create a financial burden.

Under the Digital Markets Act, there are specific provisions that reinforce users’ rights to access and move their data (aka data portability). While travel businesses themselves may not be directly regulated by the DMA, their interactions with regulated gatekeepers might require them to adopt similar data portability functionalities. This may compel travel companies to make changes to their technical infrastructure that enable customers to transfer their personal and preference data to competing services.

For instance, a travel business that tracks website performance through Google Analytics 4 or advertises on Meta’s platforms may find that customers, using their new rights under the DMA, request their data profiles to move to a competitor’s service. Although the travel company isn’t a gatekeeper and thus not directly subject to the DMA, it must still be capable of honoring such requests since it uses a core platform service that is mandated to provide portability.

For travelers, the ease of data transfer could simplify a decision to switch services, which may drive travel companies to offer more functions, more competitive pricing, better customer service, and overall enhanced experiences in an effort to retain loyalty.

Mobile app data portability challenges for the travel industry

Travel businesses must be proactive in developing or adopting technology that can handle these data movements and comply with broader DMA-inspired expectations, regardless of whether they are immediately subject to the regulation’s rules.

The data portability requirement of the Digital Markets Act extends to mobile applications as well, impacting how travel companies manage user data on these platforms. Adapting to data portability for mobile apps means ensuring that users can easily transfer their data, such as travel preferences, reviews, or booking history, from the app to other services. This could involve implementing features that enable users to download their data in a user-friendly format or establishing secure protocols for transferring data to another service upon user request.

Moreover, as app users become more aware of their data rights, they might increasingly expect such functionality. Travel businesses that proactively upgrade their mobile apps to facilitate data portability can therefore not only comply with the DMA but also position themselves as customer-centric, potentially leading to higher user retention and loyalty.

Developing and maintaining these tech systems can be complex and costly, especially for smaller businesses. There’s also the chance that customers may not be as dependable as repeat customers if it becomes easier for them to switch to different services. This means travel companies may have to find more innovative ways to improve the customer experience to retain customers.

The Digital Markets Act requires gatekeepers to obtain explicit consent from users before processing their personal data. They must also disclose what the data will be used for, how long it will be stored, and how it may be shared. Generic consent is not enough. Consent must be obtained for each specific use. These requirements are in line with the provisions of the General Data Protection Regulation (GDPR), which travel companies must comply with when it comes to data from users in the EU.

One of the big changes with the DMA is that businesses can’t combine customer data from different platforms to create customer profiles without customers’ specific consent. Travel businesses might collect user data — with valid, explicit consent — from multiple digital platforms. For example, an airline may use its own website and an online booking platform to issue tickets, as well as Google Ads for pay-per-click advertising campaigns and YouTube or social networks for destination marketing campaigns. All these platforms generate data, whether that’s search and browsing history or booking details.

The DMA’s restriction on combining user data from different platforms gives travelers more power over their data, which should lead to better privacy and fewer unwanted sales emails. When travelers do get offers from companies, they’re more likely to be about something they’re actually interested in.

Data privacy challenges for the travel industry

For the travel industry, the challenges are tangible. Failure to comply won’t result in fines or penalties under the DMA for companies that are not designated gatekeepers, but it can result in penalties under the GDPR and restriction from accessing gatekeepers’ platforms. The loss of ad revenue, for example, could be as bad as a hefty fine.

Businesses will also have to adopt data management strategies to ensure that data from different platforms is not combined for profiling without explicit user consent, and that some is not combined — or even collected — at all, like that belonging to minors. In addition, if third-party vendors or partners handle data that originates from the business’s platform, they must vet these companies’ data policies to ensure they align with the DMA’s requirements.

It is increasingly common under data privacy laws that data controllers and any third-party data processors they work with must have contractual agreements in place about processing operations and data security and privacy activities.Companies will also have to rethink their marketing strategies, which have traditionally leaned on extensive data analytics and customer profiling, and find new ways to give travelers the personal touch without stepping on their privacy. Increasingly, “zero-party” data is the gold standard, as this information comes directly from consumers, and includes their expressed preferences, interests, and consent choices.

Consented data helps travel and tourism businesses make better decisions and plan more effectively. The relationship between consent rates and business performance is straightforward. Higher consent rates result in richer, more valuable data for analysis.

Consented data not only enables businesses to tailor their services to individual preferences, but it also signals to customers that their preferences are valued and taken into account. This can lead to higher customer satisfaction rates, stronger customer loyalty, and more repeat business.

Marketing campaigns also benefit substantially from consented data. When travelers agree to share their data, travel companies can create offers that match what they know travelers are interested in and can afford. With more travelers giving consent, companies can plan their online ads and social media activities to connect with the right people on the right platforms, which can lead to spending their marketing budget more wisely.

Travel businesses can strategically adapt to varying consent rates, tailoring their data usage and marketing strategies accordingly.

High consent rates

With more data, travel websites and apps can achieve deep personalization in their customer acquisition strategies.

For example, when a user consents to share their data with an online travel agent, they can track the user’s search patterns, such as the destinations they search for or the type of accommodations they prefer. This information can be used to display tailored pay-per-click (PPC) ads.

The campaign might also use retargeting strategies. If a user visited the online travel agent’s website and looked at a beach retreat but did not book, they could be shown a PPC ad saying, “Still Thinking About the Beach? Click for an Exclusive Winter Wellness Package.”

With higher consent rates, the travel company can continuously gather and analyze user data, which enables optimization of keywords, ad copy and bidding strategies, resulting in ads that resonate more with potential customers.

Moderate consent rates

At moderate consent levels, segmentation becomes key. Although the level of personalization may not be as deep as with high consent rates, travel businesses can still segment their audience based on available demographic information, location and observed behavior, and then tailor their marketing to these segments to acquire new customers.

For example, if a hotel identifies a segment interested in local culture and events, it can create content like a “Cultural Weekend Getaway” package that includes accommodation and tickets to a local museum. This targeted approach would place the hotel’s promotional content on the feeds of those whose social media behavior aligns with an interest in cultural activities and encourage bookings from individuals looking for a culturally enriched stay.

Low consent rates

Even with minimal consent, travel companies can analyze aggregated and anonymized data for broad data trends without knowing personal details.

For example, if the aggregated data for an airline shows that a significant number of users access the website via mobile, they can optimize their website for mobile usage, which is a critical SEO factor. This could include creating a responsive design, ensuring fast page load times, and providing sophisticated search functionalities to ensure users can easily find flight options, increasing the site’s usability and search engine ranking.

Travel companies can make their consent process transparent and straightforward to foster trust and encourage more customers to share their data.

Demonstrate value: Travel businesses should be transparent and share information with customers about how their data will be used. They can explain how it makes it easier for them to share flight deals or hotel stays that are relevant for the customer, which can encourage customers to share more.

Improve the consent experience: Make the process of giving valid consent as easy as possible, which can help increase the number of customers who agree to share their data. This could involve using consent mechanisms that are user-friendly and easy to understand, such as a well-designed cookie consent banner that’s written in simple language.

Gain trust: Use design principles that give users a real choice in whether to give or decline consent. Doing so can demonstrate that you value their data and don’t use dark patterns or manipulative tactics to coerce them into sharing their personal information with you.

Some of the gatekeeper companies — including Alphabet (Google) — have begun to require businesses using their platforms to make certain changes or updates that focus on user privacy in line with the DMA’s provisions.

Google, for example, requires companies that collect data from users in the EU, EEA and/or UK and use its platforms to comply with its EU User Consent Policy or find themselves suspended from the platforms. Companies that use Google’s ad platforms to serve ads to traffic from the EU, EEA and/or UK must specifically use a Google-certified CMP as of January 16, 2024 if they want to continue serving personalized ads to visitors in these regions. As a result of both these requirements, travel companies will have to obtain explicit user consent under the GDPR to collect personal data, which is also the standard of consent under the Digital Markets Act.

Meta has added a paywall for users in the EU, EEA and Switzerland, with the option to pay a monthly fee so their personal data isn’t used for advertising. Users who choose not to pay will have their data collected and processed for personal ads. Travel companies that advertise on Meta’s platforms (Facebook and Instagram) will have to alter their paid marketing strategies to reach a relevant audience.

As communication around DMA requirements is an ongoing process, travel companies should regularly monitor news and updates from gatekeepers and regulatory bodies to stay updated on the steps they’re required to take. They can get ready for the DMA by implementing the changes required by the gatekeeper platforms to continue using the platforms without interruption.

Travel businesses preparing for the Digital Markets Act should prioritize securing valid consent under the regulation. The DMA’s transparency obligations means travel companies need clear privacy policies and easy to understand cookie consent banners. These banners should be straightforward, informing customers about the data being collected and how it will be used, to ensure that any consent given is informed and voluntary.

Using a consent management platform (CMP) like Usercentrics CMP makes collecting valid consent easy for businesses. Usercentrics simplifies the process by providing customizable consent banners that adjust to the user’s location, adhering to local data privacy regulations. It integrates seamlessly with popular content management systems (CMS) such as Adobe Experience Manager, Shopify, WordPress, Duda, BigCommerce and PrestaShop. It also integrates with popular services such as Adobe, Microsoft, HubSpot, and Google’s suite of services to ensure seamless compliance across platforms.

In addition to collecting consent on web browsers, Usercentrics App CMP fully supports your travel booking mobile apps built on iOS, Android, React and Flutter.

Companies should establish periodic internal audits concentrating on data protection impact assessments (DPIA). These audits serve to scrutinize how the company handles user data, checking that storage, processing, and sharing procedures comply with the current standards set by the Digital Markets Act at the time.

By routinely evaluating these practices, travel businesses can adapt to any changes in the regulation, or the advent of future regulations, so that it aligns with its requirements at all audit points.

Travel companies managing customer data across various platforms must develop a meticulous data management approach. This strategy should be capable of handling information across different systems while prioritizing the privacy of travelers and adhering to legal standards. User data must remain confidential and secure at each stage of the process, from collection to storage to use.

Businesses should enlist the help of legal professionals and/or privacy experts well-versed in data protection laws, such as a Data Protection Officer (DPO), to navigate privacy regulations effectively. These experts are adept at identifying specific risk areas within a company’s data handling processes and providing concrete recommendations to enhance compliance in strict accordance with evolving privacy laws including DMA privacy compliance.